Integrated Oncology Network breach impacts 25 centers, faces lawsuits

Integrated Oncology Network (ION) recently notified practices of a massive breach. Now, the business associate is facing legal pressure. 

 

What happened

ION, a Tennessee-based business associate for oncology providers, notified the Department of Health and Human Services (HHS) on June 27th of a data breach initially estimated to impact 4,174 individuals. 

Since then, however, approximately 25 oncology providers have notified the HHS of data breaches connected to the event at ION. It’s estimated that the breach ultimately impacted over 100,000 individuals. 

The breach included a variety of data, such as addresses, dates of birth, financial account information, diagnosis and treatment information, health insurance and claims information, and more. For some individuals, the breach may have also involved Social Security numbers. 

 

Going deeper

ION, which provides administrative services to oncology practices, stated that the vector of attack was email. Although ION did not state when the attack occurred, the company shared that they concluded their investigation on May 9th. The investigation determined that patient information had been accessed through some employee email and SharePoint accounts. Access occurred between December 13th, 2024, and December 16th, 2024. 

ION began providing notifications to practices on June 13th. On June 27th, ION also began mailing notices to patients. 

 

Why it matters

In this case, notifying the practices and the public has clearly taken time, especially as new information continues to come out. When these cases are drawn out, it can be difficult for impacted individuals to know how to respond. Individuals may want to review older statements, as well as remain vigilant in monitoring their current accounts.

Aside from notices continuing to be sent to impacted patients, the incident is also under investigation by multiple legal firms. 

ION has stated that this breach was caused by a phishing attack, which is easily preventable with the right cybersecurity software. Tools like the Paubox Email Suite can ensure phishing attempts are caught before they ever reach employee inboxes, keeping patients, providers, and practices secure.

 

FAQs

Why do breaches take so long to be announced? 

Breaches are generally announced within 60 days of discovery, as required by HIPAA. However, the timeline can become stretched if the organization believes disclosure could impede the investigation. Furthermore, when multiple organizations are involved, which is common when the breach begins with a business associate, it can take additional time for providers to be notified and then, ultimately, patients.

 

Who provides breach notifications for business associates? 

Breach notifications are generally provided by the impacted organization, but business associates may not always have up-to-date contact information for victims. In these cases, the practice and business associate may come to an agreement about who will provide the notification. 

 
